CVE-2023-50896: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was identified in the weForms WordPress plugin (CVE-2023-50896). The vulnerability affects weForms – Easy Drag & Drop Contact Form Builder For WordPress versions through 1.6.17. The issue was discovered on September 2, 2023, and publicly disclosed on December 26, 2023 (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79). It received a CVSS v3.1 base score of 4.8 (Medium) from NIST with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, while Patchstack assessed it with a slightly higher score of 5.9 (Medium) with the vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability allows malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts will be executed when guests visit the affected site (Patchstack).

The vulnerability has been patched in version 1.6.18 of the weForms plugin. Users are advised to update to version 1.6.18 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins (Patchstack).